Where was Waldo?

I was talking to some really, really smart folks last week about some things you could do with data that resulted from computer forensic analysis, and the topic of geolocation came up. I had some ideas, and when I returned from my trip, I started taking a look into how I could use historical information derived from an acquired image to perform geolocation. I sat down yesterday...it was rainy, so it's a nice day to code...and worked up a proof-of-concept that came out quite nicely.

So basically, here's how it works....during the course of an exam, you may determine that the system was used to connect to multiple wireless access points (WAPs). As discussed earlier, there may be more than just the SSID of the WAP recorded in the Registry...for example, the MAC address of the WAP is also recorded. Pretty neat.

So what? So you have a MAC address...what would you do with this information? Look up the vendor? Well...that's a start, as it can help you confirm that you do, in fact, have the right type of device. But in a few easy steps, you may be able to find out where that WAP is physically located. I put heavy emphasis on may because this isn't a 100% done deal...but it is way kewl nonetheless.

So the steps go a little something like this...

1. Run RegRipper (or rip or even ripXP) against the Software hive to get the SSID and MAC address of the WAP, as well as the last time the WAP was connected to. For XP systems, the updated ssid plugin is what you want to use, and for Vista and above systems, I wrote a plugin called networklist.

Note: There's a date associated with the SSID within the binary data of the Registry value on XP systems...however, I have no idea what this date means. On Vista systems and above, the MAC address has a distinct value (i.e., it does not need to be stripped out of a binary data stream), and a date/time stamp that indicates when the WAP was last connected to.

As an example, here's the data I retrieved from an XP system:

Launching ssid v.20090807
SSID
Microsoft\WZCSVC\Parameters\Interfaces

NIC: 11a/b/g Wireless LAN Mini PCI Express Adapter
Key LastWrite: Thu Feb 7 10:38:43 2008 UTC

Wed Oct 3 16:44:25 2007 tmobile MAC: 00-19-07-5B-36-92

For completeness' sake, the output of the networklist plugin looks like this:

Launching networklist v.20090811
Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
linksys
Key LastWrite : Mon Feb 18 16:02:48 2008 UTC
DateLastConnected: Mon Feb 18 11:02:48 2008
DateCreated : Sat Feb 16 12:02:15 2008
DefaultGatewayMac: 00-0F-66-58-41-ED

2. Submit your MAC address to the SkyHook WiFi Geolocation database...for metropolitan areas, you may get a lat/long pair back...it's not guaranteed, of course.

C:\Perl>skyhook.pl 00-19-07-5B-36-92
Latitude = 38.9454029
Longitude = -77.4444937

Note: The code for skyhook.pl was based on this code...many thanks to Joshua! I'm doing this on Windows, and I couldn't find a version of XML::LibXML that installed on Windows, so I used XML::Simple. Also, I made a number of other modifications with respect to programming style, but Joshua did most of the heavy lifting.

3. Using the lat/long pair, create a URL for Google Maps (you can include some additional information, such as the SSID and date last connected), which will give you a map with a pushpin and any additional information you add. For multiple WAPs and to plot multiple pushpins on the same map, you may need to create a KML or KMZ file and host it someplace that can be reached by Google Maps, and then submit the appropriate URL (on the KML Update page, hover over the link that ends in cropcircles.kmz...).

For the WAP in our example, the URL might look like this. Here's an article that describes how WiFi geolocation can be used to recover stolen laptops.

Again, this isn't 100%. Not every area is mapped, and it's highly unlikely that SOHO WAPs have been mapped. Still, if you can get something out of this, it might be useful.
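The three steps above, strung together in one script, as an added example: this is Python rather than the Perl of the RegRipper plugins and skyhook.pl, and it is not code from the post or from RegRipper. It parses both plugin output formats shown above (the ssid line format and the networklist profile blocks), normalises the WAP MAC address, and builds the Google Maps URL in the same shape as the maclookup.pl output in the addendum. The SkyHook query of step 2 is replaced by a constructed lookup table that knows only the lat/long pair the post shows, because the request format is not on this page and a real lookup needs network access; swap in your own resolver via the lookup argument of geolocate(). The sample inputs are copied from the plugin output above.

```python
import re
from datetime import datetime
from urllib.parse import quote

# ssid plugin (XP): "<ctime timestamp> <SSID> MAC: <xx-xx-xx-xx-xx-xx>"
SSID_LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4})\s+"
    r"(?P<ssid>.+?)\s+MAC:\s*(?P<mac>[0-9A-Fa-f]{2}(?:[-:][0-9A-Fa-f]{2}){5})\s*$"
)
# networklist plugin (Vista+): "Key : value" lines, split on the FIRST colon so the
# colons inside the timestamp survive (an SSID containing ':' would be misread).
FIELD_LINE = re.compile(r"^(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<value>.*)$")

# Constructed stand-in for the SkyHook lookup (step 2): the only pair it knows
# is the one the post shows for the tmobile WAP.
KNOWN_COORDS = {"00-19-07-5B-36-92": (38.9454029, -77.4444937)}

def normalize_mac(mac):
    """Upper-case hex pairs joined by '-', whatever separator the input used."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_ctime(text):
    """Parse 'Wed Oct 3 16:44:25 2007' (one or two spaces before the day, optional ' UTC')."""
    text = " ".join(text.split())
    if text.endswith(" UTC"):
        text = text[:-4]
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")

def parse_ssid_output(text):
    """One record per 'timestamp SSID MAC:' line; header lines do not match."""
    records = []
    for line in text.splitlines():
        m = SSID_LINE.match(line.strip())
        if m:
            records.append({"ssid": m["ssid"], "mac": normalize_mac(m["mac"]),
                            "last_connected": parse_ctime(m["ts"])})
    return records

def parse_networklist_output(text):
    """One record per profile block; a bare line (no colon) names the profile."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Launching") or "\\" in line:
            continue  # blank line, plugin banner or registry path
        m = FIELD_LINE.match(line)
        if m is None:
            current = {"ssid": line, "mac": None, "last_connected": None}
            records.append(current)
        elif current is not None:
            if m["key"] == "DefaultGatewayMac":
                current["mac"] = normalize_mac(m["value"])
            elif m["key"] == "DateLastConnected":
                current["last_connected"] = parse_ctime(m["value"])
    return records

def parse_regripper(text):
    """Dispatch on the 'Launching <plugin>' banner RegRipper prints first."""
    head = text.lstrip().split(None, 2)
    if len(head) >= 2 and head[0] == "Launching":
        if head[1] == "ssid":
            return parse_ssid_output(text)
        if head[1] == "networklist":
            return parse_networklist_output(text)
    raise ValueError("not ssid or networklist plugin output")

def map_url(lat, lon, label):
    """Google Maps URL in the shape the post's maclookup.pl output shows (step 3)."""
    return (f"http://maps.google.com/maps?q={lat},+{lon}+"
            f"{quote('(' + label + ')', safe='')}&iwloc=A&hl=en")

def geolocate(records, lookup=KNOWN_COORDS.get):
    """Attach a map URL to each record whose MAC the lookup resolves, else None."""
    out = []
    for r in records:
        coords = lookup(r["mac"]) if r["mac"] else None
        out.append(dict(r, url=map_url(*coords, r["ssid"]) if coords else None))
    return out

# Constructed samples, copied from the plugin output shown in the post.
SSID_SAMPLE = r"""Launching ssid v.20090807
SSID
Microsoft\WZCSVC\Parameters\Interfaces

NIC: 11a/b/g Wireless LAN Mini PCI Express Adapter
Key LastWrite: Thu Feb 7 10:38:43 2008 UTC

Wed Oct 3 16:44:25 2007 tmobile MAC: 00-19-07-5B-36-92
"""
NETWORKLIST_SAMPLE = r"""Launching networklist v.20090811
Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles
linksys
Key LastWrite : Mon Feb 18 16:02:48 2008 UTC
DateLastConnected: Mon Feb 18 11:02:48 2008
DateCreated : Sat Feb 16 12:02:15 2008
DefaultGatewayMac: 00-0F-66-58-41-ED
"""

if __name__ == "__main__":
    for sample in (SSID_SAMPLE, NETWORKLIST_SAMPLE):
        for rec in geolocate(parse_regripper(sample)):
            print(rec["ssid"], rec["mac"], rec["last_connected"], rec["url"] or "(no lat/long)")
```

Run it as-is and the tmobile WAP comes back with the same URL the addendum shows, while the linksys WAP (not in the constructed table) is reported without a location, which is the "not guaranteed" case the post warns about. Feeding it real plugin output is a matter of reading the RegRipper report from a file instead of the embedded samples.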

Resources
Google Gears Geolocation API gets Wifi
SkyHook Wireless How It Works page
Firefox GeoLocation add-on

Addendum: Updated my Perl script tonight, thanks to input from Colin Shepard on Net::MAC::Vendor (for Windows, download the .tar.gz file and extract the .pm file into site\lib\Net\MAC in your Perl install...). Now, the script takes either a WAP MAC address (if no SSID is provided, it uses "Unknown") or the path to a file containing MAC addresses and SSIDs on single lines, separated by semi-colons. The output is any vendor and address information returned by the OUI lookup, and a URL that can be pasted into your browser window to get a Google Map (if lat/longs are available). For example:

C:\Perl>maclookup.pl -w 00:19:07:5B:36:92 -s tmobile
OUI lookup for 00:19:07:5B:36:92...
Cisco Systems
80 West Tasman Dr.
SJ-M/1
San Jose CA 95134
UNITED STATES

Google Map URL (paste into browser):
http://maps.google.com/maps?q=38.9454029,+-77.4444937+%28tmobile%29&iwloc=A&hl=en

Pretty sweet...
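As an added example of the addendum's vendor step (Python, not the author's maclookup.pl or Net::MAC::Vendor), here is the OUI lookup done offline: a parser for the IEEE oui.txt layout, the semicolon-separated "MAC;SSID" input the updated script accepts (with "Unknown" substituted when no SSID is given), and a report that joins the two. The registry excerpt is constructed: the Cisco entry repeats the vendor and address printed above, and the AA-BB-CC entry is a made-up placeholder so the parser sees more than one block. The lat/long and map URL steps are the ones described in the main post and are left out here.

```python
import re

# Constructed excerpt in the layout of the IEEE oui.txt registry (see lead-in).
OUI_TXT = """\
00-19-07   (hex)\t\tCisco Systems
001907     (base 16)\t\tCisco Systems
\t\t\t\t80 West Tasman Dr.
\t\t\t\tSJ-M/1
\t\t\t\tSan Jose CA 95134
\t\t\t\tUNITED STATES

AA-BB-CC   (hex)\t\tExample Vendor (placeholder)
AABBCC     (base 16)\t\tExample Vendor (placeholder)
\t\t\t\t1 Nowhere Lane
\t\t\t\tPLACEHOLDER
"""

# "XX-XX-XX   (hex)   Vendor Name" opens an entry; address lines follow until a blank.
HEX_LINE = re.compile(r"^([0-9A-F]{2}-[0-9A-F]{2}-[0-9A-F]{2})\s+\(hex\)\s+(.+?)\s*$")

def normalize_mac(mac):
    """'00:19:07:5b:36:92' or '00-19-07-5B-36-92' -> '00-19-07-5B-36-92'."""
    digits = re.sub(r"[-:.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_oui_txt(text):
    """Map 'XX-XX-XX' prefix -> {'vendor': name, 'address': [lines]}."""
    table, current = {}, None
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            current = {"vendor": m.group(2), "address": []}
            table[m.group(1)] = current
            continue
        stripped = line.strip()
        if not stripped:
            current = None  # blank line closes the entry
        elif current is not None and "(base 16)" not in stripped:
            current["address"].append(stripped)
    return table

def parse_mac_list(text):
    """Lines of 'MAC;SSID'; SSID optional and defaults to 'Unknown', as the post describes."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        mac, _, ssid = raw.partition(";")
        entries.append((normalize_mac(mac.strip()), ssid.strip() or "Unknown"))
    return entries

def lookup_vendor(mac, table):
    """OUI lookup: the first three octets of the MAC are the vendor prefix."""
    return table.get(normalize_mac(mac)[:8])

def report(mac_list_text, table):
    """One row per input WAP with whatever the OUI table knows about it."""
    rows = []
    for mac, ssid in parse_mac_list(mac_list_text):
        hit = lookup_vendor(mac, table)
        rows.append({"mac": mac, "ssid": ssid,
                     "vendor": hit["vendor"] if hit else None,
                     "address": hit["address"] if hit else []})
    return rows

# Constructed input file: the two WAPs from the post, the second without an SSID.
MAC_LIST = "00:19:07:5B:36:92;tmobile\n00-0F-66-58-41-ED\n"

if __name__ == "__main__":
    for row in report(MAC_LIST, parse_oui_txt(OUI_TXT)):
        print(f"OUI lookup for {row['mac']} ({row['ssid']})...")
        print(row["vendor"] or "(no OUI match in table)")
        print("\n".join(row["address"]))
```

With the full oui.txt from the IEEE in place of the constructed excerpt, the 00-0F-66 WAP would resolve too; here it deliberately falls through to the "no match" row so the unresolved path is exercised. The mixed ':' and '-' separators in the input are normalised before the prefix is taken, which matters because RegRipper prints dashes while many other tools print colons.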